Due to its relatively new and complex nature, there is no straightforward method for categorizing a cyberattack as a digital act of war, according to witnesses at a House Oversight Committee hearing on Wednesday.
“Cyber activities may, in certain circumstances, constitute an armed attack, which triggers our inherent right to self-defense as recognized by Article 51 of the U.N. charter,” said Chris Painter, coordinator for cyber issues at the U.S. Department of State. He and other witnesses, however, gave no direct definition for what those circumstances would be.
“Incidents described as cyberattacks or computer network attacks are not necessarily armed attacks for the purposes of triggering a nation-state’s inherent right of self-defense,” said Aaron Hughes, deputy assistant secretary for cyber policy at the U.S. Department of Defense. “When determining whether a cyber incident constitutes an armed attack, the U.S. government considers a broad range of factors, including the nature and extent of injury or death to persons and the destruction of or damage to property.”
Part of the determination of cyber warfare has to do with international law and consensus, which would judge whether a country’s countermeasures on a cyberattack were warranted. Retired Gen. Keith Alexander, CEO and president of IronNet Cybersecurity, testified that the U.S. must be in agreement with its international allies on this issue.
Agreeing with Alexander, Painter pointed to the State Department’s Framework for Stability in Cyberspace as a starting point for international discussion and regulation.
“This framework has three key elements: first, the affirmation that existing international law applies to State behavior in cyberspace. Second, the development of an international consensus on and in the promotion of additional voluntary norms of responsible State behavior in cyberspace that apply during peacetime. And third, the development and implementation of practical confidence building measures, or CBMs, among States,” Painter said.
In spite of these descriptions and frameworks, some congressmen were frustrated with the lack of a concise definition of a digital act of war and who would be making that determination in the event of an attack.
“I’m concerned with the lack of clarity on this,” said Rep. Jody Hice, R-Ga.
“A lot of discussion is focused on act of war. I actually think that’s the wrong focus,” said Sean Kanuck, counsel for Legal and Strategic Consulting Services, explaining that it could prompt attackers to skate just below the threshold for an act of war.
Painter agreed, saying, “Strategic ambiguity could very well deter most states from getting close to the threshold of an armed attack.”
The witnesses also cautioned that the U.S. should not limit itself to a specific type of retaliation, but rather should act flexibly on a case-by-case basis.
“For example, with IP theft it makes no sense to limit ourselves to retaliation with the exact same action in the same domain,” said Peter Warren Singer, strategist and senior fellow for New America. It therefore would become important to address a broad range of retaliation options.
“As a nation, we still lack both a strategic approach to this problem, and a practical, effective set of solutions to deter malicious and adversarial behavior in cyberspace,” Kanuck said. He and other witnesses stress the importance of deterrents.
“If everything is based on after-the-fact forensics, then you’ve already lost something,” Alexander said.